From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, netfilter-devel@lists.netfilter.org,
Patrick McHardy <kaber@trash.net>
Subject: [PATCH 11/13]: [NETFILTER]: Handle NAT in IPsec policy checks
Date: Sun, 20 Nov 2005 17:31:42 +0100 [thread overview]
Message-ID: <20051120163142.16666.14733.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20051120163128.16666.38111.sendpatchset@localhost.localdomain>
[NETFILTER]: Handle NAT in IPsec policy checks
Handle NAT of decapsulated IPsec packets by reconstructing the struct flowi
of the original packet from the conntrack information for IPsec policy
checks.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit 8b46eb2d8365ab18cc965f37681033162a834fe5
tree 5e8b46d5acd6fa4b1445f181fcf8bce94cade5b0
parent 3f615f37e68903f0eea66f5b242bfbb1875ee204
author Patrick McHardy <kaber@trash.net> Sat, 19 Nov 2005 22:09:15 +0100
committer Patrick McHardy <kaber@trash.net> Sat, 19 Nov 2005 22:09:15 +0100
include/linux/netfilter.h | 16 ++++++++++
net/ipv4/netfilter.c | 3 ++
net/ipv4/netfilter/ip_nat_standalone.c | 50 +++++++++++++++++++++++++++++++-
net/xfrm/xfrm_policy.c | 2 +
4 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index be365e7..cc9ee97 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -261,6 +261,20 @@ struct nf_queue_rerouter {
extern int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer);
extern int nf_unregister_queue_rerouter(int pf);
+#include <net/flow.h>
+extern void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
+
+static inline void
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
+{
+#ifdef CONFIG_IP_NF_NAT_NEEDED
+ void (*decodefn)(struct sk_buff *, struct flowi *);
+
+ if (family == AF_INET && (decodefn = ip_nat_decode_session) != NULL)
+ decodefn(skb, fl);
+#endif
+}
+
#ifdef CONFIG_PROC_FS
#include <linux/proc_fs.h>
extern struct proc_dir_entry *proc_net_netfilter;
@@ -269,6 +283,8 @@ extern struct proc_dir_entry *proc_net_n
#else /* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
+static inline void
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family) {}
#endif /*CONFIG_NETFILTER*/
#endif /*__KERNEL__*/
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 8fda96a..b66856d 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -134,6 +134,9 @@ drop:
}
#endif /* CONFIG_XFRM */
+void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
+EXPORT_SYMBOL(ip_nat_decode_session);
+
/*
* Extra routing may needed on local out, as the QUEUE target never
* returns control to the table.
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index b518697..8b8a1f0 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -55,6 +55,44 @@
: ((hooknum) == NF_IP_LOCAL_IN ? "LOCAL_IN" \
: "*ERROR*")))
+#ifdef CONFIG_XFRM
+static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
+{
+ struct ip_conntrack *ct;
+ struct ip_conntrack_tuple *t;
+ enum ip_conntrack_info ctinfo;
+ enum ip_conntrack_dir dir;
+ unsigned long statusbit;
+
+ ct = ip_conntrack_get(skb, &ctinfo);
+ if (ct == NULL)
+ return;
+ dir = CTINFO2DIR(ctinfo);
+ t = &ct->tuplehash[dir].tuple;
+
+ if (dir == IP_CT_DIR_ORIGINAL)
+ statusbit = IPS_DST_NAT;
+ else
+ statusbit = IPS_SRC_NAT;
+
+ if (ct->status & statusbit) {
+ fl->fl4_dst = t->dst.ip;
+ if (t->dst.protonum == IPPROTO_TCP ||
+ t->dst.protonum == IPPROTO_UDP)
+ fl->fl_ip_dport = t->dst.u.tcp.port;
+ }
+
+ statusbit ^= IPS_NAT_MASK;
+
+ if (ct->status & statusbit) {
+ fl->fl4_src = t->src.ip;
+ if (t->dst.protonum == IPPROTO_TCP ||
+ t->dst.protonum == IPPROTO_UDP)
+ fl->fl_ip_sport = t->src.u.tcp.port;
+ }
+}
+#endif
+
static unsigned int
ip_nat_fn(unsigned int hooknum,
struct sk_buff **pskb,
@@ -330,10 +368,14 @@ static int init_or_cleanup(int init)
if (!init) goto cleanup;
+#ifdef CONFIG_XFRM
+ BUG_ON(ip_nat_decode_session != NULL);
+ ip_nat_decode_session = nat_decode_session;
+#endif
ret = ip_nat_rule_init();
if (ret < 0) {
printk("ip_nat_init: can't setup rules.\n");
- goto cleanup_nothing;
+ goto cleanup_decode_session;
}
ret = nf_register_hook(&ip_nat_in_ops);
if (ret < 0) {
@@ -381,7 +423,11 @@ static int init_or_cleanup(int init)
nf_unregister_hook(&ip_nat_in_ops);
cleanup_rule_init:
ip_nat_rule_cleanup();
- cleanup_nothing:
+ cleanup_decode_session:
+#ifdef CONFIG_XFRM
+ ip_nat_decode_session = NULL;
+ synchronize_net();
+#endif
return ret;
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e441f35..8351bb0 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -22,6 +22,7 @@
#include <linux/workqueue.h>
#include <linux/notifier.h>
#include <linux/netdevice.h>
+#include <linux/netfilter.h>
#include <linux/module.h>
#include <net/xfrm.h>
#include <net/ip.h>
@@ -938,6 +939,7 @@ int __xfrm_policy_check(struct sock *sk,
if (xfrm_decode_session(skb, &fl, family) < 0)
return 0;
+ nf_nat_decode_session(skb, &fl, family);
/* First, check used SA against their selectors. */
if (skb->sp) {
next prev parent reply other threads:[~2005-11-20 16:31 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-20 16:31 [PATCH 00/13]: Netfilter IPsec support Patrick McHardy
2005-11-20 16:31 ` [PATCH 01/13]: [NETFILTER]: Remove okfn usage in ip_vs_core.c Patrick McHardy
2005-11-20 16:31 ` [PATCH 02/13]: [NETFILTER]: Call POST_ROUTING hook before fragmentation Patrick McHardy
2005-11-20 16:31 ` [PATCH 03/13]: [IPV4]: Replace dst_output by ip_dst_output Patrick McHardy
2005-11-20 16:31 ` [PATCH 04/13]: [IPV6]: Replace dst_output by ip6_dst_output Patrick McHardy
2005-11-20 16:31 ` [PATCH 05/13]: [IPV4/6]: Netfilter IPsec output hooks Patrick McHardy
2005-11-22 4:40 ` Herbert Xu
2005-11-22 4:53 ` Patrick McHardy
2005-11-22 5:13 ` Patrick McHardy
2005-11-22 10:30 ` Herbert Xu
2005-11-22 10:31 ` Herbert Xu
2005-11-22 12:13 ` Herbert Xu
2005-11-28 1:07 ` Patrick McHardy
2005-11-28 4:56 ` Herbert Xu
2005-11-28 12:25 ` Patrick McHardy
2005-12-04 22:09 ` Patrick McHardy
2005-12-04 22:15 ` Herbert Xu
2005-11-20 16:31 ` [PATCH 06/13]: [IPV4/6]: Netfilter IPsec input hooks Patrick McHardy
2005-11-21 4:42 ` Yasuyuki KOZAKAI
[not found] ` <200511210442.jAL4gPoO001846@toshiba.co.jp>
2005-11-21 6:52 ` Patrick McHardy
2005-11-21 7:00 ` David S. Miller
2005-11-21 7:47 ` Herbert Xu
2005-11-21 16:52 ` Patrick McHardy
2005-11-21 10:53 ` Yasuyuki KOZAKAI
[not found] ` <200511211053.jALAro04019574@toshiba.co.jp>
2005-11-21 16:34 ` Patrick McHardy
[not found] ` <438185ED.3050005@miyazawa.org>
2005-11-21 8:50 ` YOSHIFUJI Hideaki / 吉藤英明
2005-11-21 16:29 ` Patrick McHardy
2005-12-01 1:27 ` Herbert Xu
2005-12-04 22:06 ` Patrick McHardy
2005-12-04 22:10 ` Herbert Xu
2005-12-04 22:49 ` Patrick McHardy
2005-11-20 16:31 ` [PATCH 07/13]: [NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder Patrick McHardy
2005-11-28 21:06 ` Herbert Xu
2005-11-29 7:02 ` Patrick McHardy
2005-11-29 7:34 ` Herbert Xu
2005-11-29 7:49 ` David S. Miller
2005-11-29 11:31 ` Herbert Xu
2005-11-20 16:31 ` [PATCH 08/13]: [NETFILTER]: Use conntrack information to determine if packet was NATed Patrick McHardy
2005-11-20 16:31 ` [PATCH 09/13]: [NETFILTER]: Redo policy lookups after NAT when neccessary Patrick McHardy
2005-11-20 16:43 ` Patrick McHardy
2005-11-20 16:31 ` [PATCH 10/13]: [NETFILTER]: Keep the conntrack reference until after policy checks Patrick McHardy
2005-11-20 16:31 ` Patrick McHardy [this message]
2005-11-20 16:31 ` [PATCH 12/13]: [NETFILTER]: Export ip6_masked_addrcmp, don't pass IPv6 addresses on stack Patrick McHardy
2005-11-20 16:31 ` [PATCH 13/13]: [NETFILTER]: Add ipt_policy/ip6t_policy matches Patrick McHardy
[not found] ` <200511201902.10179.lists@naasa.net>
2005-11-20 18:07 ` [PATCH 00/13]: Netfilter IPsec support Patrick McHardy
2005-11-22 22:34 ` David S. Miller
2005-11-22 22:38 ` YOSHIFUJI Hideaki / 吉藤英明
2005-11-23 1:20 ` Patrick McHardy
2005-11-23 1:17 ` Patrick McHardy
2005-11-23 1:35 ` Herbert Xu
2005-11-23 3:36 ` David S. Miller
2005-11-23 4:47 ` Herbert Xu
2005-11-23 4:52 ` Yasuyuki KOZAKAI
2005-11-23 3:35 ` David S. Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051120163142.16666.14733.sendpatchset@localhost.localdomain \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).